@renovate renovate bot commented Dec 2, 2025

This PR contains the following updates:

Package | Change
org.springframework.security:spring-security-test | 6.5.7 -> 7.0.2
org.springframework.security:spring-security-oauth2-jose | 6.5.7 -> 7.0.2
org.springframework.security:spring-security-oauth2-client | 6.5.7 -> 7.0.2
org.springframework.security:spring-security-core | 6.5.7 -> 7.0.2

Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-test)

v7.0.2

🪲 Bug Fixes

  • AuthorizationWebProxyConfiguration should only be active when both spring-security-web and spring-webmvc are on the classpath #​18315

v7.0.1

⭐ New Features

  • Stop deploying JavaDoc outside of Antora #​18200

🪲 Bug Fixes

  • An unexpected dependency appeared for spring-security-config of spring-security-web #​18307
  • Fix "typ" header value in NimbusJwtEncoder-encoded JWT #​18270
  • Fix broken link to Spring Boot docs #​18236
  • Fix documentation resource server sample title #​18231
  • Fix MyCustomDsl to use csrf(Customizer) instead of removed csrf().disabled() #​18223
  • Fix typo in AnnotationTemplateExpressionDefaults documentation #​18255
  • Fix typos in documentation depenendencies->dependencies #​18209
  • NimbusJwtEncoder produces JWT with wrong "typ" header value #​18269
  • OAuth2AuthorizationEndpointFilter should be applied after AuthorizationFilter #​18251
  • Remove requireProofKey warning for non-auth-code flows #​18221
  • Remove throws from MyCustomDsl in docs #​18224

🔨 Dependency Upgrades

  • Bump ch.qos.logback:logback-classic from 1.5.20 to 1.5.21 #​18214
  • Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 #​18311
  • Bump com.fasterxml.jackson:jackson-bom from 2.20.0 to 2.20.1 #​18245
  • Bump com.unboundid:unboundid-ldapsdk from 7.0.3 to 7.0.4 #​18262
  • Bump io.micrometer:micrometer-observation from 1.14.12 to 1.14.13 #​18189
  • Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 #​18277
  • Bump io.mockk:mockk from 1.14.6 to 1.14.7 #​18274
  • Bump io.projectreactor:reactor-bom from 2025.0.0 to 2025.0.1 #​18289
  • Bump io.spring.gradle:spring-security-release-plugin from 1.0.10 to 1.0.13 #​18187
  • Bump org-aspectj from 1.9.24 to 1.9.25 #​18186
  • Bump org.apache.kerby:kerb-simplekdc from 2.1.0 to 2.1.1 #​18215
  • Bump org.junit:junit-bom from 6.0.0 to 6.0.1 #​18188
  • Bump org.springframework.data:spring-data-bom from 2025.1.0 to 2025.1.1 #​18312
  • Bump org.springframework:spring-framework-bom from 7.0.0 to 7.0.1 #​18213
  • Bump org.springframework:spring-framework-bom from 7.0.1 to 7.0.2 #​18310
  • Bump tools.jackson:jackson-bom from 3.0.1 to 3.0.2 #​18212
  • Bump tools.jackson:jackson-bom from 3.0.2 to 3.0.3 #​18244

🔩 Build Updates

  • Add Test for ServletRequestPathUtils.parseAndCache(method=null) #​18166
  • Bump antora from 3.2.0-alpha.10 to 3.2.0-alpha.11 in /docs #​18238

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​L33gn21, @​ghusta, @​ronodhirSoumik, @​rwinch, @​sach429, and @​ziqin

v7.0.0

⭐ New Features

  • Add a minimal authorization server configuration #​18153
  • Mark GrantedAuthority#getAuthority as @Nullable #​18014
  • Polish SimpleGrantedAuthority #​18062

🪲 Bug Fixes

  • Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description #​18026
  • Fix webauthn multifactor authentication #​18163

🔨 Dependency Upgrades

  • Bump org.jetbrains.kotlin:kotlin-bom from 2.2.20 to 2.2.21 #​18099
  • Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 2.2.20 to 2.2.21 #​18100
  • Bump tools.jackson:jackson-bom from 3.0.0 to 3.0.1 #​18097
  • Update to Reactor 2025.0.0 #​18173
  • Update to Spring Data 2025.1.0 #​18174
  • Update to Spring Framework 7.0.0 #​18172
  • Update to Spring LDAP 4.0.0 #​18175

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​Kehrlann, @​SimonVonXCVII, @​quaff, and @​therepanic


Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/Havana, Automerge - "before 4am on the first day of the month" in timezone America/Havana.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from yacosta738 as a code owner December 2, 2025 23:18
@renovate renovate bot requested a review from yacosta738 December 2, 2025 23:18

coderabbitai bot commented Dec 2, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

github-actions bot commented Dec 2, 2025

Qodana for JVM

68 new problems were found

Inspection name | Severity | Problems
Unused symbol | 🔶 Warning | 42
Invalid YAML configuration | 🔶 Warning | 5
Unstable API Usage | 🔶 Warning | 4
Duplicated code fragment | ◽️ Notice | 9
Unknown HTTP header | ◽️ Notice | 5
Multi-dollar interpolation can be used in string literals (available since 2.1) | ◽️ Notice | 1
If-Null return/break/... foldable to '?:' | ◽️ Notice | 1
Vulnerable declared dependency | ◽️ Notice | 1

github-actions bot commented Dec 2, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

github-actions bot commented Dec 3, 2025

Test Results

165 tests: 159 ✅, 0 💤, 6 ❌
38 suites, 38 files, 25s ⏱️

For more details on these failures, see this check.

Results for commit 5a176e3.

♻️ This comment has been updated with latest results.

cloudflare-workers-and-pages bot commented Dec 3, 2025

Deploying cvix with Cloudflare Pages

Latest commit: 5a176e3
Status: ✅  Deploy successful!
Preview URL: https://a0c70f22.cvix.pages.dev
Branch Preview URL: https://renovate-major-spring-securi.cvix.pages.dev

cloudflare-workers-and-pages bot commented Dec 3, 2025

Deploying cvix-app with Cloudflare Pages

Latest commit: ed9be62
Status: ✅  Deploy successful!
Preview URL: https://81cba4b0.cvix-app.pages.dev
Branch Preview URL: https://renovate-major-spring-securi.cvix-app.pages.dev

@renovate renovate bot force-pushed the renovate/major-spring-security branch 17 times, most recently from e6865a2 to d434b5a Compare December 5, 2025 11:24

github-actions bot commented Dec 5, 2025

Qodana for JVM

79 new problems were found

Inspection name | Severity | Problems
Unused symbol | 🔶 Warning | 43
Invalid YAML configuration | 🔶 Warning | 6
Potentially ambiguous 'kotlin.coroutine.coroutineContext' usage | 🔶 Warning | 4
Unstable API Usage | 🔶 Warning | 4
Unresolved reference in KDoc | 🔶 Warning | 2
Redundant qualifier name | 🔶 Warning | 2
Unknown HTTP header | ◽️ Notice | 10
Duplicated code fragment | ◽️ Notice | 2
Unnecessary type argument | ◽️ Notice | 2
Multi-dollar interpolation can be used in string literals (available since 2.1) | ◽️ Notice | 1
String concatenation that can be converted to string template | ◽️ Notice | 1
If-Null return/break/... foldable to '?:' | ◽️ Notice | 1
Vulnerable declared dependency | ◽️ Notice | 1

@renovate renovate bot force-pushed the renovate/major-spring-security branch 4 times, most recently from 8b7a673 to 25a12f5 Compare December 5, 2025 20:20
@renovate renovate bot force-pushed the renovate/major-spring-security branch 10 times, most recently from c386440 to 5fd552a Compare December 24, 2025 14:44
@renovate renovate bot changed the title from "fix(deps): update spring security to v7 (major)" to "chore(deps): update spring security to v7 (major)" Dec 24, 2025
@renovate renovate bot force-pushed the renovate/major-spring-security branch 16 times, most recently from 6b8a684 to e03a7e6 Compare December 25, 2025 16:19
@renovate renovate bot force-pushed the renovate/major-spring-security branch from e03a7e6 to 5a176e3 Compare December 25, 2025 16:28